Sunday, June 5, 2011

There has been a lot of speculation recently on how much sensitive data a hacker can find on personal email accounts, considering it is against the rules in most places to use personal accounts for work. Although there are strict rules for classified messages and documents, intruders are often satisfied with merely sensitive or merely informational messages for building the picture they need. While I don't know how strict the rules are at the White House, the following behavior is common for at least some US Government offices and for many companies. This information is from my own knowledge, as well as accounts of people working for the US Government, the military, Fortune 500 companies, non-government research institutions, and other places.

I am sure you will find none of these scenarios surprising; they are all very common.

SIX WAYS SENSITIVE DATA FINDS ITS WAY TO PERSONAL EMAIL ACCOUNTS
1. Google Apps accounts are often created in addition to corporate/work mail to allow easy document sharing between different companies, either for one project or as a permanent setup.
2. Employees set up autoforwarding of all work emails to their personal accounts for easy reading on personal mobile devices (not everyone has a work-issued mobile device).
3. Employees, regardless of their employer, need to communicate with people who work elsewhere. They cannot control whether their recipients use free webmail or what they do with their mail, and their recipients can be targeted.
4. Employees often trust personal webmail more than their work accounts for privacy reasons. They know their work mail is heavily monitored, archived, and filtered, and they sometimes need to say something to each other "off the record". This may include work-related topics, their supervisors, etc.
5. Employees, especially when traveling, often manually forward selected messages from work to personal accounts. This is because it is easier to check a personal account than to log in with smart cards, RSA keys, and VPN just to refer to a few things they may need for work while traveling or working at home.
6. Employees may forward mail to personal accounts before leaving their job. Some places allow auto-forward, and in others you can do it manually. People forward contacts or important messages that they may need after they start a new job.
